CVE-2025-59933

7.8 HIGH

📋 TL;DR

CVE-2025-59933 is a buffer read overflow vulnerability in libvips when compiled with PDF support via poppler. It allows attackers to cause denial of service or potentially execute arbitrary code by providing a crafted PDF with a page that defines width but not height. Only users with libvips compiled with poppler-based PDF support are affected.

💻 Affected Systems

Products:
  • libvips
Versions: 8.17.1 and below
Operating Systems: All operating systems where libvips is compiled with poppler PDF support
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when compiled with PDF input support via poppler. Not vulnerable with PDFium support or without PDF support.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise if the buffer overflow can be weaponized for arbitrary code execution.

🟠

Likely Case

Application crash or denial of service due to memory corruption when processing malicious PDF files.

🟢

If Mitigated

No impact if workarounds are applied or PDF support is disabled.

🌐 Internet-Facing: HIGH if the application processes user-uploaded PDF files, as exploitation requires no authentication.
🏢 Internal Only: MEDIUM if PDF processing is limited to internal users, but still poses risk from insider threats or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a specific PDF file, but no authentication is needed to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.17.2

Vendor Advisory: https://github.com/libvips/libvips/security/advisories/GHSA-q8px-4w5q-c2r4

Restart Required: Yes

Instructions:

1. Update libvips to version 8.17.2 or later.
2. Recompile any applications using libvips.
3. Restart services using libvips.

🔧 Temporary Workarounds

Block PDF loading via VipsForeignLoadPdf (platform: all)

Prevent PDF loading operations using vips_operation_block_set in application code:

vips_operation_block_set("VipsForeignLoadPdf", TRUE);

Set VIPS_BLOCK_UNTRUSTED environment variable (platform: linux)

Block all untrusted loaders, including PDF input via poppler, at runtime:

export VIPS_BLOCK_UNTRUSTED=1

🧯 If You Can't Patch

  • Disable PDF support in libvips by recompiling without poppler support.
  • Implement strict input validation to reject PDF files from untrusted sources.

🔍 How to Verify

Check if Vulnerable:

An installation is vulnerable only if the libvips version is 8.17.1 or below and the library was compiled with PDF support via poppler (builds using PDFium, or without PDF support, are not affected).

Check Version:

vips --version

Verify Fix Applied:

Verify libvips version is 8.17.2 or later, or confirm PDF loading is blocked via workarounds.
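The verification steps above can be scripted. The following is an added example, not part of the advisory or of the libvips project: it parses the version string from `vips --version` and inspects the operation listing from `vips -l` to tell whether the `pdfload` operation is backed by poppler. It assumes that `vips --version` prints a string starting with `vips-MAJOR.MINOR.MICRO` and that `vips -l` describes the loader with the text "load PDF with libpoppler" (poppler build) or "load PDF with PDFium" (PDFium build); both assumptions are from the libvips source as the author remembers it and should be confirmed against the local build.

```shell
#!/bin/sh
# Added example (not from the advisory or libvips): assess an installed libvips
# for CVE-2025-59933. Affected = version <= 8.17.1 AND pdfload provided by poppler.

# Return 0 (true) if the version string is 8.17.1 or lower, 1 otherwise,
# 2 if the string cannot be parsed. Expects input such as "vips-8.17.1".
vips_version_affected() {
    ver=$(printf '%s' "$1" | sed -n 's/^vips-\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || { echo "unrecognised version string: $1" >&2; return 2; }
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0          # "8" -> minor 0
    minor=${rest%%.*}
    micro=${rest#*.}
    [ "$micro" = "$rest" ] && micro=0       # "8.17" -> micro 0
    micro=${micro%%.*}
    # Fixed in 8.17.2; everything below that is in the affected range.
    if [ "$major" -lt 8 ]; then return 0; fi
    if [ "$major" -eq 8 ] && [ "$minor" -lt 17 ]; then return 0; fi
    if [ "$major" -eq 8 ] && [ "$minor" -eq 17 ] && [ "$micro" -le 1 ]; then return 0; fi
    return 1
}

# Read `vips -l` output on stdin and print which backend provides pdfload:
# "poppler", "pdfium", "none" (no PDF loader compiled in) or "unknown".
# Assumption: the class description contains "libpoppler" or "PDFium".
pdf_backend() {
    line=$(grep -i '(pdfload)' | head -n 1)
    case "$line" in
        "")                   echo none ;;
        *poppler*)            echo poppler ;;
        *PDFium*|*pdfium*)    echo pdfium ;;
        *)                    echo unknown ;;
    esac
}

# Combine both checks. $1 = version string, $2 = operation listing text.
# Prints "affected" only when the version is in range AND the backend is poppler.
assess() {
    backend=$(printf '%s\n' "$2" | pdf_backend)
    if vips_version_affected "$1" && [ "$backend" = poppler ]; then
        echo affected
    else
        echo "not affected (backend=$backend)"
    fi
}

# Run against the local install when the vips CLI is on PATH.
if command -v vips >/dev/null 2>&1; then
    assess "$(vips --version)" "$(vips -l)"
fi
```

A result of "affected" means the patch (8.17.2 or later) is still needed; "not affected (backend=pdfium)" or "(backend=none)" matches the advisory's note that PDFium builds and builds without PDF support are out of scope. The script does not detect whether the runtime workarounds (vips_operation_block_set or VIPS_BLOCK_UNTRUSTED) are in place, so those must be confirmed separately.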

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or segmentation faults when processing PDF files
  • Memory corruption errors in application logs

Network Indicators:

  • Unexpected PDF file uploads to applications using libvips

SIEM Query:

source="application.log" AND ("segmentation fault" OR "buffer overflow" OR "memory corruption") AND "pdf"
